Hi all, I'm preparing a new section on Refresh Token best practices for the Security BCP. I'm wondering whether anyone has implemented a binding of the refresh token's expiration/revocation with the state of the session the refresh token was issued in/for. So do you revoke refresh tokens when the user logs out from the AS or the session is terminated for other reasons?
Kind regards, Torsten.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth